Set a CSP header on all attachments

author Magnus Hagander <magnus@hagander.net>

Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)

committer Magnus Hagander <magnus@hagander.net>

Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)
author Magnus Hagander <magnus@hagander.net>
Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)
committer Magnus Hagander <magnus@hagander.net>
Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)
diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py

index c1118ac69cd506805285732a52c6848cce731124..fe74f7cd4d94d0963a9a83add7defb9ca5d9d265 100644 (file)
--- a/django/archives/mailarchives/views.py
+++ b/django/archives/mailarchives/views.py
@@ -395,6 +395,7 @@ def attachment(request, attid):
  
      return HttpResponse(bytes(r[0][3]), content_type=r[0][1], headers={
          'X-attached-to-message': r[0][2],
+        'Content-Security-Policy': "default-src 'none'",
      })
author	Magnus Hagander <magnus@hagander.net>
	Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)
committer	Magnus Hagander <magnus@hagander.net>
	Mon, 1 Dec 2025 17:45:01 +0000 (18:45 +0100)